Executive summary · TL;DR
ENS (Spanish National Security Framework) audits take place every two years, conducted by an ENAC-accredited body. They verify the measures of Annex II, the Statement of Applicability and the risk analysis.
The ENS certification audit is the moment of truth. After months of work on adequacy to the ENS (Spanish National Security Framework), everything is decided in a few days where a team of accredited auditors will assess whether your organisation actually complies with the requirements it claims to comply with. The difference between passing the audit at the first attempt or needing costly corrective rounds almost always lies in the quality of preparation. This guide gives you the keys to reach audit day with the highest confidence.
- What auditors assess: approach and scope
- Essential documentation for the audit
- Mandatory documents
- Supporting documents that auditors value
- The 15 most frequent non-conformities in ENS audits
What auditors assess: approach and scope
ENS auditors do not look for perfection. They look for evidence that your organisation has implemented an information security management system that works effectively, that the controls declared in the Statement of Applicability are actually operational, and that there is a culture of continuous improvement in security.
The audit covers three dimensions. The first is documentary: does the required documentation exist, is it coherent and up to date? The second is implementation: are the controls really in place or only documented? The third is effectiveness: do the controls work and produce the expected results?
Essential documentation for the audit
Before the auditors arrive, make sure all key documentation is prepared in an organised and accessible way.
Mandatory documents
The information security policy is the founding document. It must strictly meet the requirements of Annex II of the ENS: identify those responsible, establish the security principles, classify the information, define risk management and address training.
The risk analysis must be complete, up to date and produced with a recognised methodology (MAGERIT is the reference). Auditors will verify that all relevant assets are identified, that threats are realistic, that valuations are justified and that selected safeguards are proportionate.
The Statement of Applicability (SoA) maps the 73 ENS controls to their implementation status. For each control it must indicate whether it applies (with justification if not), its implementation status, the available evidence and the reference documents.
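As an added illustration (not part of the original guide or any official CCN/ENAC tool), the following Python pre-audit check walks a set of SoA rows and flags the documentary gaps described above: non-applicable controls without justification, controls declared implemented without evidence, and referenced documents that are not in the evidence folder index. The row layout, control ids and file names are constructed assumptions.

```python
# Hypothetical SoA consistency checker (constructed example, not an official tool).
VALID_STATUS = {"implemented", "partial", "planned", "not_applicable"}
ENS_CONTROL_COUNT = 73  # number of Annex II controls the SoA must cover


def check_soa(rows, evidence_index, expected_total=ENS_CONTROL_COUNT):
    """Return the findings an auditor would raise on purely documentary grounds."""
    findings = []
    seen = set()
    for row in rows:
        cid = row["control"]
        if cid in seen:
            findings.append(f"{cid}: duplicated entry")
        seen.add(cid)
        if row["status"] not in VALID_STATUS:
            findings.append(f"{cid}: unknown status '{row['status']}'")
        if not row["applies"]:
            # A control declared not applicable needs a written justification
            if not row.get("justification"):
                findings.append(f"{cid}: not applicable but no justification")
            continue
        if row["status"] == "not_applicable":
            findings.append(f"{cid}: applies=True contradicts status not_applicable")
        if row["status"] == "implemented" and not row.get("evidence"):
            findings.append(f"{cid}: declared implemented but no evidence listed")
        # Every referenced document must be findable in the evidence folder index
        for doc in row.get("evidence", []) + row.get("references", []):
            if doc not in evidence_index:
                findings.append(f"{cid}: referenced '{doc}' missing from evidence index")
    if len(seen) != expected_total:
        findings.append(f"SoA covers {len(seen)} controls, expected {expected_total}")
    return findings


# Constructed sample: three SoA rows and the file names present in the evidence folder
SAMPLE_ROWS = [
    {"control": "org.1", "applies": True, "status": "implemented",
     "evidence": ["POL-SEC-v3.pdf"], "references": ["ACTA-COMITE-2024-01.pdf"]},
    {"control": "op.acc.1", "applies": True, "status": "implemented",
     "evidence": [], "references": ["PROC-ACCESOS.pdf"]},
    {"control": "mp.com.2", "applies": False, "status": "not_applicable",
     "justification": ""},
]
SAMPLE_INDEX = {"POL-SEC-v3.pdf", "ACTA-COMITE-2024-01.pdf"}
```

Running `check_soa(SAMPLE_ROWS, SAMPLE_INDEX)` lists four findings for the sample rows; in practice the rows would be loaded from the organisation's own SoA spreadsheet and the index built from the evidence folder.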
Security procedures detail how the policies and standards are executed day to day. Auditors will verify the existence of procedures at least for incident management, access control, change management, backups, service continuity and monitoring.
Records and evidence demonstrate that the procedures are actually applied. They include access logs, incident records, security committee meeting minutes, internal audit reports, training records and evidence of periodic reviews.
Supporting documents that auditors value
The improvement plan shows the organisation does not settle for minimum compliance but pursues excellence. Internal pre-audit reports demonstrate maturity. Security indicators give evidence of active monitoring. And an up-to-date asset inventory is indispensable for the risk analysis.
Practical tips to pass the audit
Run a rigorous internal audit first
The internal audit is your chance to detect and correct problems before the external auditors do. Take it seriously: hire an internal auditor with ENS experience or train one of your technicians. The findings of the internal audit and the corrective actions taken show the external auditor that your continuous improvement system works.
Prepare your team for interviews
Auditors will interview the security officer, the system owner, technical staff and potentially end users. Make sure all these people know the security policy and its essential content, know which procedures apply to them and where to find them, can describe how they act in the face of a security incident, and know their responsibilities in protecting information.
It is not about reciting documents from memory: it is about demonstrating that security is part of their daily work.
Organise evidence so it is easy to find
Nothing frustrates an auditor more than asking for evidence and having to wait hours for someone to find it. Prepare an evidence folder organised by ENS controls, with an index and quick access. This conveys organisation, makes the auditor's work easier and translates into a smoother audit and a better overall impression.
Do not try to hide weaknesses
If there are controls that are not yet fully implemented, it is better to acknowledge them openly and show a credible action plan than to try to disguise them. Auditors have enough experience to detect attempts at cover-up, and transparency generates more confidence than apparent perfection.
Designate a main point of contact
The auditor needs a single point of contact to coordinate interviews, facilitate evidence and resolve logistical questions. This role is usually taken on by the security officer or the consultant who has accompanied implementation.
The 15 most frequent non-conformities in ENS audits
Knowing the most common mistakes is the best way to avoid them. These are the non-conformities that appear most often.
In the organisational framework, the most common are an incomplete security policy (missing elements from Annex II), security roles not formally designated, and the absence of a security committee or minutes evidencing its operation.
In the operational framework, the standout issues are an outdated or incomplete risk analysis, weak access control (generic accounts, excessive privileges, weak passwords), the absence of formal change management, untested continuity plans and insufficient monitoring (logs that are never reviewed).
In the protection measures, the most frequent non-conformities are training and awareness without evidence, inadequate cryptographic protection, media management with no procedure, insufficient physical security in server rooms, and unencrypted communications on public networks.
After the audit: what to expect
Once the on-site audit is complete, the audit team will produce its report within two to four weeks. If there are no major non-conformities, you will receive the certificate after resolving any minor ones. If there are major non-conformities, you will have a period to remediate them and present evidence of correction.
Remember that the certificate is valid for two years, with an intermediate follow-up audit. Do not relax controls after obtaining the certificate: the follow-up audit will verify that the system is maintained and improved.
Specific preparation for town councils and local authorities
Local authorities face additional challenges: limited budgets, scarce technical staff and legacy information systems. The key for these bodies is to tackle adequacy progressively, leverage the free CCN tools (PILAR, CLARA, ANA, microCLOUD) and, where resources allow, rely on specialised external advice familiar with the realities of the Spanish local administration. See our specific guide on ENS for town councils.
📩 Have an ENS audit coming up and want to be sure of passing it the first time? Get in touch. We help you prepare your organisation with a pre-audit that identifies and corrects weaknesses before the auditors arrive.
Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.
Frequently asked questions
How does this apply to my SME?
It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.
What does it cost in 2026?
Indicative ranges for SMEs of 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).
Which Spanish regulation applies?
BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act 2024/1689 depending on scope.
How long does the implementation take?
On average 4-7 months for a single ISO standard. An integrated management system (9001+14001+27001) usually takes 8-12 months.
Can I co-finance it with Kit Digital or Kit Consulting?
Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.
Marketing to the brain is more predictable than marketing to opinion. — Ángel Ortega Castro